JaasSecurityDomainSocketFactory

Starting in JBoss AS 5.2 Beta, EAP 4.2 CP08 and EAP 4.3 CP06 there is a new SSLSocketFactory implementation available that can use a JaasSecurityDomain to configure SSL connections.

This is useful if you need a custom SSLSocketFactory for LDAP, Remoting (for WebServices, for example), etc., or simply want to use a particular alias from a keystore (which is not possible with the "javax.net.ssl.keyStore" property).

LDAP Example:

In conf/login-config.xml, add the "java.naming.ldap.factory.socket" option to either LdapExtLoginModule or LdapLoginModule in your security domain configuration:

<application-policy name="mySecDomain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldaps://localhost:636</module-option>
      ...
      <module-option name="java.naming.ldap.factory.socket">org.jboss.security.ssl.JaasSecurityDomainSocketFactory</module-option>
    </login-module>
  </authentication>
</application-policy>

Add the "org.jboss.security.ssl.domain.name" system property at startup. Its value is the name of the JaasSecurityDomain:

For Linux:

Edit $JBOSS_HOME/bin/run.conf:

JAVA_OPTS="$JAVA_OPTS -Dorg.jboss.security.ssl.domain.name=ldaps"

For Windows:

Edit $JBOSS_HOME/bin/run.bat:

set JAVA_OPTS=%JAVA_OPTS% -Dorg.jboss.security.ssl.domain.name=ldaps

Remoting Connectors Example:

Any Remoting connector can specify the client's socket factory to be used for SSL communication. If mutual SSL authentication is required, the client only needs to set up a JaasSecurityDomain bean; when it connects to the server, it automatically uses that configuration for SSL. Here is an example for the connector used for EJB2:

<mbean code="org.jboss.remoting.transport.Connector"
          name="jboss.remoting:service=Connector,transport=socket"
          display-name="Socket transport Connector">
      <attribute name="Configuration">
         <!-- Using the following <invoker> element instead of the InvokerLocator above because specific attributes needed. -->
         <!-- If wanted to use any of the parameters below, can just add them as parameters to the url above if wanted use the InvokerLocator attribute. -->
         <config>
            <!-- Other than transport type and handler, none of these configurations are required (will just use defaults). -->
            <invoker transport="sslsocket">
               <attribute name="dataType" isParam="true">invocation</attribute>
               <attribute name="marshaller" isParam="true">org.jboss.invocation.unified.marshall.InvocationMarshaller</attribute>
               <attribute name="unmarshaller" isParam="true">org.jboss.invocation.unified.marshall.InvocationUnMarshaller</attribute>
               <!-- This will be port on which the marshall loader port runs on.  -->
               <!-- <attribute name="loaderport" isParam="true">4447</attribute> -->
               <!-- The following are specific to socket invoker -->
               <!-- <attribute name="numAcceptThreads">1</attribute>-->
               <!-- <attribute name="maxPoolSize">303</attribute>-->
               <!-- <attribute name="clientMaxPoolSize" isParam="true">304</attribute>-->
               <!-- <attribute name="timeout" isParam="true">60000</attribute> -->
               <attribute name="serverBindAddress">${jboss.bind.address}</attribute>
               <attribute name="serverBindPort">4446</attribute>
               <!-- <attribute name="clientConnectAddress">216.23.33.2</attribute> -->
               <!-- <attribute name="clientConnectPort">7777</attribute> -->
               <attribute name="enableTcpNoDelay" isParam="true">true</attribute>
               <attribute name="serverSocketFactory">jboss.remoting:service=ServerSocketFactory,type=SSL</attribute>
               <attribute name="useAllSocketFactoryParams" isParam="true">true</attribute>
               <attribute name="socketFactoryClassName" isParam="true">org.jboss.security.ssl.JaasSecurityDomainSocketFactory</attribute>
            </invoker>

            <!-- At least one handler is required by the connector.  If there is more than one, each must declare -->
            <!-- a different subsystem value.  Otherwise, all invocations will be routed to the only one -->
            <!-- that is declared. -->
            <handlers>
               <!-- can also specify handler by fully qualified classname -->
               <handler subsystem="invoker">jboss:service=invoker,type=unified</handler>
            </handlers>
         </config>
      </attribute>
      <depends>jboss.remoting:service=NetworkRegistry</depends>
      <depends>jboss.remoting:service=ServerSocketFactory,type=SSL</depends>
</mbean>

Note the addition of the useAllSocketFactoryParams and socketFactoryClassName attributes.

WebService Example:

TBD

A JaasSecurityDomain Example:

For EAP 4.x (MBean):
<mbean code="org.jboss.security.plugins.JaasSecurityDomain" name="jboss.security:service=JaasSecurityDomain,domain=ldaps">
  <constructor>
    <arg type="java.lang.String" value="ldaps"/>
  </constructor>

  <attribute name="KeyStoreURL">localhost.keystore</attribute>
  <attribute name="KeyStoreAlias">ldaps</attribute>
  <attribute name="KeyStorePass">changeit</attribute>

  <attribute name="TrustStoreURL">localhost.truststore</attribute>
  <attribute name="TrustStorePass">changeit</attribute>
</mbean>

For AS 5.x (JBoss Bean):
<bean name="JaasSecurityDomain:ldaps" class="org.jboss.security.plugins.JaasSecurityDomain">
  <constructor>
    <parameter>ldaps</parameter>
  </constructor>

  <property name="keyStoreURL">localhost.keystore</property>
  <property name="keyStoreAlias">ldaps</property>
  <property name="keyStorePass">changeit</property>

  <property name="trustStoreURL">localhost.truststore</property>
  <property name="trustStorePass">changeit</property>

  <!-- introduce a JMX annotation to export this bean as an MBean -->
  <annotation>@org.jboss.aop.microcontainer.aspects.jmx.JMX(name="jboss.security:service=JaasSecurityDomain,domain=ldaps",exposedInterface=org.jboss.security.plugins.JaasSecurityDomainMBean.class)</annotation>
</bean>
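
As an added example (not code from JBoss or from this page's author), the following standalone class shows in plain JSSE what selecting one keystore alias for an SSL connection involves, which the "javax.net.ssl.keyStore" property alone cannot express. The names AliasPinnedSslContext, FixedAliasKeyManager and build are assumptions made for illustration; this is not how JaasSecurityDomainSocketFactory itself is implemented.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/** Added example (hypothetical names): pin the TLS identity to one keystore alias with standard JSSE. */
public final class AliasPinnedSslContext {
    /** Answers every alias question with the configured alias; key material comes from the delegate. */
    static final class FixedAliasKeyManager implements X509KeyManager {
        private final X509KeyManager delegate;
        private final String alias;
        FixedAliasKeyManager(X509KeyManager delegate, String alias) {
            this.delegate = delegate;
            this.alias = alias;
        }
        @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket s) { return alias; }
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) { return alias; }
        @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return new String[] { alias }; }
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return new String[] { alias }; }
        @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    }

    public static SSLContext build(String keyStorePath, char[] keyPass, String alias,
                                   String trustStorePath, char[] trustPass) throws Exception {
        KeyStore ks = load(keyStorePath, keyPass);
        if (!ks.isKeyEntry(alias)) { // fail closed rather than silently presenting another identity
            throw new IllegalArgumentException("No private key entry for alias: " + alias);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);
        KeyManager pinned = new FixedAliasKeyManager((X509KeyManager) kmf.getKeyManagers()[0], alias);
        // Trust anchors come only from the given truststore, not from the JVM default cacerts.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStorePath, trustPass));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { pinned }, tmf.getTrustManagers(), null);
        return ctx;
    }

    private static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        return ks;
    }
}
```

With the values from the JaasSecurityDomain examples above, the call would be build("localhost.keystore", "changeit".toCharArray(), "ldaps", "localhost.truststore", "changeit".toCharArray()), and getSocketFactory() on the result yields the SSLSocketFactory.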

 

Additional Info:

If you require more than one SSLSocketFactory (with different JaasSecurityDomain configurations) you will need to extend JaasSecurityDomainSocketFactory so that each one uses a different system property:

package my.pkg; // placeholder package name ("package" itself is a reserved word in Java)

import javax.net.SocketFactory;
import org.jboss.security.ssl.JaasSecurityDomainSocketFactory;

public class MySocketFactory extends JaasSecurityDomainSocketFactory
{

   /**
    * Override to set a different system property name
    */
   protected String getSystemPropertyName()
   {
      return "my.system.property";
   }

   /**
    * Must have a static getDefault method
    */
   public static SocketFactory getDefault()
   {
      return new MySocketFactory();
   }

}